[ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244498#comment-16244498 ]
Shane Kumpf commented on YARN-7430: ----------------------------------- I still believe there will be an issue if we do not specify --user. This causes problems for launching the container. Please try running distributed shell or similar using the Dockerfile I provided with --user removed, and you will see the behavior, the container will fail to launch. IIUC, {{\-\-privileged}} == {{\-\-user=root}} (or {{--user=0:0}}) in your view, correct? If so, doing that would satisfy the condition here if we set the user to root for privileged containers. I see some cases where that isn't necessary and I'm unsure how it might impact log aggregation, but I think it could work. > User and Group mapping are incorrect in docker container > -------------------------------------------------------- > > Key: YARN-7430 > URL: https://issues.apache.org/jira/browse/YARN-7430 > Project: Hadoop YARN > Issue Type: Sub-task > Components: security, yarn > Affects Versions: 2.9.0, 3.0.0 > Reporter: Eric Yang > Assignee: Eric Yang > Priority: Blocker > Attachments: YARN-7430.001.patch > > > In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to > enforce user and group for the running user. In YARN-6623, this translated > to --user=test --group-add=group1. The code no longer enforce group > correctly for launched process. > In addition, the implementation in YARN-6623 requires the user and group > information to exist in container to translate username and group to uid/gid. > For users on LDAP, there is no good way to populate container with user and > group information. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org